<<< Date Index >>>     <<< Thread Index >>>

Re: An Auction Site for Vulnerabilities



Ivan . wrote:
I thought this may interest some

http://www.darkreading.com/document.asp?doc_id=128411&WT.svl=news1_1

There has been recent article about people who sell vulnerability data in New Scientist as well (16.6.2007., page 30: "Murky trade in bugs plays into the hands of hackers").

It seems that idea of having sites where one can sell the vulnerability data is catching up on journalists. This is not a good thing, because the newspapers are going to give chance for people who sell their stuff to give apologetic and maybe sort of heroic excuses ("I spent so much time, but nobody cared; now they are going to buy the results of my genius!") for their unethical deeds.

At the same time, those journalists probably do not see that there's mature "market" that gives this same information for free (and for fame), giving companies a chance to fix the problem for free and give the fix away for free, thus benefiting everyone (which is just as well genius, and much, much more noble).

There, it is easy to jump into conclusions. For example, that it is Ok to sell vulnerability data, as it seems that government is ready to cash out for some of it (as U.S. government presumably did for Samba vulnerability in New Scientist article). And, as the article did not let the reader know of an alternative (a place such as this one, where people give away their knowledge of vulnerabilities for free), there's no reason not to conclude that finding bugs in code is great way to earn money. Talk about the message to the little kids.

Add this to a thing such as "e-bay for vulnerabilities", and you get a really nice black market being marketed as "just another business"; with articles like these, more and more young people will get into bug hunt in order to gain money. Some of them will fall victim to the same guys who run Internet scams and fuel spam pestilence; some might end up selling data to criminals to break in or blackmail some company (and might end up in jail themselves).

Why, yes, of course - there always were, and there are always going to be people ready to buy a vulnerability and people eager to sell it for a nice sum; what bothers me here is that the journalism is looking at them without a critical eye, like some sort of Evil Geinus meets Robin Hood - therefore giving the public wrong messages and making people who disclose their data for free look rather silly.

I think the journalists should dig in to ethics first, and understand that topic well - before they go to lengths writing about selling Samba vulnerabilities to some friendly and totally-not-total-control-eager government (who's going to retain it for nine months before the hole is discovered and plugged by someone else - read NS article!).